Do Giant GDPR Fines Apply to Data Breaches that Occurred Before May 25?

Although there is as yet no clear-cut answer from the EU, it seems that yes, they do.

By Morten Boel Sigurdsson, Founder of Omada & President Omada North America

Can authorities issue giant GDPR fines related to data breaches that occurred before May 25 but were discovered after May 25?

Although there is as yet no clear-cut answer from the EU, it seems that yes, they can.

A European Commission official recently stated that data breaches that happened before 25th May but were kept undisclosed would also be liable for GDPR fines, citing, among other things, the fact that the deadline has been public for well over a year (in fact since April 14 2016, when the legislation was approved by the EU). The first test case to emerge is in the UK.

In mid-June, it emerged that UK firm Dixons Carphone suffered a data breach comprising 5.9 million customer cards and 1.2 million personal records. The colossal breach is the largest in UK history and although it happened before the GDPR official start date of May 25, the UK’s Information Commissioner’s Office has announced that it is investigating whether the data breach should be treated under GDPR regulation. This would mean a fine of up to Euro 20 million or 4% of the annual turnover, whichever is greater – in this case a potential fine of a staggering £400 million. 

The difference between whether the data breach is fined under the previous or the new legislation is significant: under the UK Data Protection Act 1998, non-compliant organizations could face fines of up to £500,000, whereas the GDPR's Euro 20 million or 4% of annual turnover is considerably higher. Whichever regime the organization is fined under, the reputational damage is already significant.

While this case is already being called potentially the first of the GDPR mega-fines, the news has rocked the UK, not least of all Dixons Carphone, where shares have unsurprisingly already plummeted.

The GDPR is one of the most talked-about pieces of legislation in recent times, changing the culture of data handling and giving power back to citizens. The cases that are emerging illustrate that non-compliance and lack of data control can have dramatic consequences not only for affected citizens but also for the organizations involved.

The legislation is not crystal clear, and it will be interesting to see how the different local regulators will interpret the legislation and fine those who have been non-compliant going forward.

However, one thing is clear. Compliance has for all organizations in the GDPR era become a licence to operate.


Omada Founder and President (NA) Morten Boel Sigurdsson has more than 25 years of experience providing innovative IT related services and solutions for large global organizations. He has a background from SAP and A.P. Moller Maersk.